DNS Catalog Zones: simplifying your slave configuration
If you manage multiple DNS servers, you know the problem: every time you add a zone to your primary, you also need to update your secondaries. With 10 zones, that's manageable. With 100+, it becomes an operational risk.
Catalog Zones solve this. Instead of configuring each zone separately on your slaves, you maintain one special zone (the catalog) and your secondaries pick up the rest automatically.
How it works
A Catalog Zone is a regular DNS zone that contains references to other zones. The secondary DNS server reads the catalog via a normal zone transfer (AXFR/IXFR) and automatically configures all zones listed in it.
The structure of a catalog zone looks like this:
; Catalog Zone for secondary DNS
$TTL 3600
catalog.example.com. SOA ns1.example.com. admin.example.com. (
    2024123101 3600 900 604800 86400 )
; RFC 9432 requires exactly one NS record; "invalid." marks the catalog as not meant to be resolved
catalog.example.com. NS invalid.
; Version of the catalog zone format (RFC 9432 is version 2; a consumer ignores any other value)
version.catalog.example.com. TXT "2"
; Member zones: <unique-label>.zones.<catalog> PTR <zone>
; The label only has to be unique within the catalog; using the zone name itself is a convenient choice
example.com.zones.catalog.example.com. PTR example.com.
client-a.com.zones.catalog.example.com. PTR client-a.com.
client-b.com.zones.catalog.example.com. PTR client-b.com.
When you add a zone to the catalog (and bump the SOA serial), the secondary picks the change up on the next zone transfer and starts serving that zone. No manual configuration needed. Removal works the same way in reverse: a member that disappears from the catalog is dropped by the secondary. That makes the catalog a high-value target: whoever can change it, or spoof its transfer, decides what every secondary serves. Restrict AXFR of the catalog to your own secondaries and authenticate the transfers with TSIG, as the security considerations of RFC 9432 recommend.
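To make the consumer side concrete, here is a small added example (my own illustration, not PowerDNS or Knot code) that does what a secondary does with the catalog: parse two versions of the zone, check the version TXT record, and compute which member zones must be added and which dropped. The two catalog texts are constructed sample input, the same zones as above with client-a.com replaced by client-b.com in the second serial; the zone-file parser is deliberately minimal (no `$ORIGIN`, no owner inheritance from a leading-whitespace line).

```python
"""Toy catalog-zone consumer: parse two versions of a catalog zone (as text,
for example saved from an AXFR) and compute which member zones a secondary
has to add or remove. Example code, not PowerDNS or Knot code."""

import re

CATALOG = "catalog.example.com."

# Constructed sample input: the catalog before and after an update on the primary.
OLD_CATALOG = """\
$TTL 3600
catalog.example.com. SOA ns1.example.com. admin.example.com. (
    2024123101 3600 900 604800 86400 )
catalog.example.com. NS invalid.
version.catalog.example.com. TXT "2"
example.com.zones.catalog.example.com. PTR example.com.
client-a.com.zones.catalog.example.com. PTR client-a.com.
"""

NEW_CATALOG = """\
$TTL 3600
catalog.example.com. IN SOA ns1.example.com. admin.example.com. (
    2024123102 3600 900 604800 86400 )
catalog.example.com. IN NS invalid.
version.catalog.example.com. IN TXT "2"
example.com.zones.catalog.example.com. IN PTR example.com.
client-b.com.zones.catalog.example.com. IN PTR client-b.com.
"""


def _records(zone_text):
    """Yield (owner, rtype, rdata_tokens) for each record in zone-file text.
    Strips ';' comments, folds '(' ... ')' continuations onto one line,
    skips $-directives and the optional TTL / class fields."""
    cleaned = [ln.split(";", 1)[0].rstrip() for ln in zone_text.splitlines()]
    text = "\n".join(ln for ln in cleaned if ln)
    text = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", text)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue
        owner, rest = tokens[0], tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # optional TTL and class
        if not rest:
            continue
        yield owner.lower(), rest[0].upper(), rest[1:]


def parse_catalog(zone_text, catalog=CATALOG):
    """Return the set of member zones listed in the catalog.

    Raises ValueError when the version TXT is missing or not "2": RFC 9432
    tells a consumer not to interpret a catalog whose version it does not know."""
    version = None
    members = set()
    member_suffix = ".zones." + catalog
    for owner, rtype, rdata in _records(zone_text):
        if rtype == "TXT" and owner == "version." + catalog:
            version = " ".join(rdata).strip('"')
        elif rtype == "PTR" and owner.endswith(member_suffix):
            zone = rdata[0].lower()
            if not zone.endswith("."):
                raise ValueError(f"member zone must be an absolute name: {zone}")
            if zone == catalog:
                raise ValueError("catalog must not list itself as a member")
            members.add(zone)
    if version != "2":
        raise ValueError(f"unsupported catalog version: {version!r}")
    return members


def catalog_diff(old_members, new_members):
    """Zones the consumer must add and remove when the catalog changes."""
    return sorted(new_members - old_members), sorted(old_members - new_members)


def plan_update(old_text, new_text, catalog=CATALOG):
    """Parse both catalog versions and return {'add': [...], 'remove': [...]}."""
    added, removed = catalog_diff(parse_catalog(old_text, catalog),
                                  parse_catalog(new_text, catalog))
    return {"add": added, "remove": removed}


if __name__ == "__main__":
    print(plan_update(OLD_CATALOG, NEW_CATALOG))
```

The version check is the part worth copying: a real consumer that silently accepted an unknown version, or a member name that is not absolute, would start serving zones the operator never intended.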
PowerDNS as primary
PowerDNS Authoritative (4.7 and later) does not configure the catalog in pdns.conf. The catalog is an ordinary zone of kind PRODUCER, and member zones are attached to it with pdnsutil:
pdnsutil create-zone catalog.example.com
pdnsutil set-kind catalog.example.com producer
pdnsutil set-catalog example.com catalog.example.com
pdnsutil set-catalog client-a.com catalog.example.com
PowerDNS generates the catalog contents (the version TXT and the member PTRs) itself and bumps the catalog's serial whenever a member is added or removed. Two things still have to be configured by hand: the secondary must be allowed to transfer the catalog (allow-axfr-ips in pdns.conf, or the ALLOW-AXFR-FROM zone metadata), and it must be notified explicitly (also-notify in pdns.conf, or pdnsutil add-meta catalog.example.com ALSO-NOTIFY with the secondary's address), because the catalog's NS record is invalid. and PowerDNS cannot derive a notify target from it. From then on, every zone you add and attach with set-catalog reaches the secondary automatically: it gets a NOTIFY, transfers the catalog, and is up to date.
Knot DNS as secondary
Knot has native support for catalog zones as a consumer. In knot.conf the catalog's master must be a defined remote, and the template named in catalog-template must exist, because Knot applies it to every zone it creates from the catalog:
remote:
  - id: primary
    address: 10.0.0.1

# Settings applied to every zone Knot creates from the catalog
template:
  - id: default-slave
    master: primary
    storage: /var/lib/knot/catalog-zones

zone:
  - domain: catalog.example.com
    master: primary
    catalog-role: interpret
    catalog-template: default-slave
Knot reads the catalog zone and automatically creates a slave zone for every entry. A catalog only says which zones exist, not where to fetch them, so the template has to carry the master (and the TSIG key or acl you use for transfers) that the member zones need. After the first transfer, knotc zone-status should list the member zones, and querying the secondary for the SOA of one of them confirms it actually serves them.
Why this is useful
- Less configuration. No manual updating of slave configs for every new zone.
- Fewer errors. Forgetting to add a zone to a secondary is a thing of the past; the same mechanism also cleans up zones you remove.
- Scalability. Works equally well with 10 or 1000 zones.
- Standard. Defined in RFC 9432 and supported by PowerDNS Authoritative 4.7+, Knot, and BIND (9.11 introduced the pre-standard version 1 format; the RFC 9432 version 2 format is in BIND 9.18 and later).
Production experience
I use this setup in my own DNS infrastructure: PowerDNS as authoritative primary, Knot as secondary, with catalog zones for automatic synchronization. It eliminates an entire category of operational errors and makes adding new zones trivial.
The full article with more configuration details is on my personal blog. Need help with your DNS architecture? I help with PowerDNS, Knot, DNSSEC, and complex multi-server setups through Bouwhuis IT.
Need help with this topic?
Through Bouwhuis IT I help businesses with exactly these kinds of challenges.